On Sat, Nov 1, 2014 at 8:15 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
> On 29.10.2014 16:42, Yann Ylavic wrote:
>> On Wed, Oct 29, 2014 at 2:52 PM, Mikhail T. <mi+t...@aldan.algebra.com>
>> wrote:
>>> That would solve our problem, though some may wonder about the subtle
>>> differences between "any" and "all" :-) More seriously, it would also make
>>> the config-files incompatible with earlier httpd-releases -- whereas the
>>> patch I linked to does not have this problem.
>
> Definitely agreeing with Mikhail. Adding "Any" as another option is just
> likely to cause even more confusion (and I'm also not in support of adding
> things like "safe", just for the records).

Well, I must admit ANY may be confusing (but definitively not a compatibility issue).

How about an SSLv2Hello keyword (à la JDK), should we agree on a real issue caused by "ALL -SSLv3" (see below)?
This might also be confusing though, one may think this is the whole SSLv2 protocol...

The real question IMO is: Is SSLv2Hello replied with a TLSv1.x server hello really safe against MITM/poodle/other attacks?
IOW, is it safe to accept SSLv2Hello whereas SSLv2 and SSLv3 are disabled?
I couldn't find any pointer to this answer, only conjectures about not being treated as unsafe by poodle vulnerability (online) detectors...

Clearly, is it worth handling it?

> Without clear steps on how to reproduce the problem (what httpd version,
> what OpenSSL version, what client, what SSLProtocol settings), I'm fairly
> doubtful that there really is a problem here. From a quick glance at
> OpenSSL's s23_srvr.c:ssl23_get_client_hello(), I fail to see any reason
> why the current mod_ssl code in
> ssl_engine_init.c:ssl_init_ctx_protocol() would disable the acceptance
> of an SSLv2 compatible ClientHello when a single protocol setting (cases
> like protocol == SSL_PROTOCOL_TLSV1) is active.

I also posted a reproducer in this thread...

The problem is that with OpenSSL 0.9.8, "ALL -SSLv3" leaves only SSL_PROTOCOL_TLSV1, and TLSv1_server_method() won't accept SSLv2Hello (according to my own tests with openssl s_client).
With OpenSSL 1.x, all SSL_PROTOCOL_TLSV1* are still active, and httpd will use SSLv23_server_method(), hence SSLv2Hello is accepted.

> Reading further down on the serverfault entry referenced earlier [1],
> the "real" OP (Matt Hughes, i.e. the one who posted to httpd-users, in
> the thread mentioned by Jeff) meanwhile came to the conclusion that his
> problem "was a non-issue all along. Apache will accept SSLv2 handshake
> with either of the configurations I posted above". In fact, I have no
> problem to connect to httpd/mod_ssl with "SSLProtocol TLSv1", when
> using "openssl s_client -cipher RC4-MD5 -connect ...", (provided that
> RC4-MD5 is still enabled server-side). In that case, I'm seeing an
> SSLv2 compatible hello, with TLS 1.0 getting negotiated in the end.

openssl s_client (with no protocol option, e.g. -tls1/-ssl3/...) uses SSLv2Hello.

The serverfault's OP does not mention the version of openssl used by his httpd.

Regards,
Yann.
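As an added illustration of the point under discussion (this is example code, not part of the thread and not code from httpd or OpenSSL): the SSLv2-compatible ClientHello that openssl s_client sends by default is a framing format, distinct from the SSLv2 protocol. The Python below builds both a V2-format hello and a TLS-record-format hello, parses each back, and applies a simplified server choice that looks only at the advertised version. The `accept_v2_framing` switch stands in for the two cases Yann reports: SSLv23_server_method() reading the V2 framing, versus a single-protocol method on 0.9.8 that does not. All constants, helper names, the mapping of SSLProtocol settings to version sets, and the sample cipher specs (RC4-MD5 as 0x000004, an SSLv2-only spec as 0x010080) are this example's own assumptions and constructed input.

```python
"""Tell an SSLv2-compatible ClientHello apart from the SSLv2 protocol.

Added illustration for the httpd-dev discussion; not code from httpd or
OpenSSL. Names, helpers, version sets and sample values are assumptions.
"""
import struct

SSL2_MT_CLIENT_HELLO = 1          # msg_type of a V2-format ClientHello
TLS_HANDSHAKE = 0x16              # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01            # TLS handshake message type: client_hello

SSLV2, SSLV3, TLS10, TLS11, TLS12 = 0x0002, 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSLV2: "SSLv2", SSLV3: "SSLv3", TLS10: "TLSv1", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

# Assumed mapping of SSLProtocol settings to enabled version sets (OpenSSL 1.x semantics).
ALL_MINUS_SSLV3 = {TLS10, TLS11, TLS12}   # "SSLProtocol ALL -SSLv3"
TLSV1_ONLY = {TLS10}                      # "SSLProtocol TLSv1"


def build_v2_compat_client_hello(version, cipher_specs, challenge=b"\x11" * 32):
    """SSLv2-format ClientHello (RFC 5246, Appendix E.2) advertising `version`.

    Cipher specs are 3 bytes each: a spec whose first byte is 0x00 names a TLS
    cipher suite, any other first byte names an SSLv2-only cipher.
    """
    body = struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, version,
                       3 * len(cipher_specs), 0, len(challenge))
    body += b"".join(struct.pack("!I", spec)[1:] for spec in cipher_specs)
    body += challenge
    # V2 record header: high bit set means "no padding", low 15 bits are the length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_client_hello(client_version, cipher_suites, random=b"\x22" * 32):
    """TLS-record-format ClientHello with an empty session id and null compression."""
    body = struct.pack("!H", client_version) + random + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", suite) for suite in cipher_suites)
    body += b"\x01\x00"
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is left at TLS 1.0, as most clients do.
    return struct.pack("!BHH", TLS_HANDSHAKE, TLS10, len(handshake)) + handshake


def parse_client_hello(data):
    """Classify the first bytes a server reads from a new connection."""
    if data[0] & 0x80 and data[2] == SSL2_MT_CLIENT_HELLO:
        length = struct.unpack("!H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        _, version, cs_len, _sid_len, _ch_len = struct.unpack("!BHHHH", body[:9])
        raw = body[9:9 + cs_len]
        specs = [int.from_bytes(raw[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"format": "SSLv2-compatible", "version": version,
                "cipher_specs": specs, "v2_only_ciphers": [s for s in specs if s >> 16]}
    if data[0] == TLS_HANDSHAKE and data[5] == HS_CLIENT_HELLO:
        version = struct.unpack("!H", data[9:11])[0]
        pos = 44 + data[43]                     # skip random(32) and session_id
        cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
        raw = data[pos + 2:pos + 2 + cs_len]
        suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
        return {"format": "TLS", "version": version,
                "cipher_suites": suites, "v2_only_ciphers": []}
    raise ValueError("not a ClientHello")


def negotiate(hello, enabled, accept_v2_framing=True):
    """Simplified server choice: highest enabled version not above the client's.

    With V2 framing accepted (SSLv23-style), only the advertised version matters:
    a V2-format hello advertising TLS 1.0 negotiates TLS 1.0 even when SSLv2 and
    SSLv3 are disabled, while one advertising 0x0002 is refused. A server method
    that does not read V2 framing refuses the V2-format hello outright.
    """
    if hello["format"] == "SSLv2-compatible" and not accept_v2_framing:
        return None
    candidates = [v for v in enabled if v <= hello["version"]]
    return max(candidates) if candidates else None


if __name__ == "__main__":
    # Constructed sample: a V2-format hello offering RC4-MD5 plus an SSLv2-only spec.
    v2 = parse_client_hello(build_v2_compat_client_hello(TLS10, [0x000004, 0x010080]))
    for label, enabled in (("ALL -SSLv3", ALL_MINUS_SSLV3), ("TLSv1", TLSV1_ONLY)):
        chosen = negotiate(v2, enabled)
        print(f"{v2['format']} hello advertising {NAMES[v2['version']]} with {label}: "
              f"{NAMES[chosen] if chosen else 'refused'}")
    print("same hello, method without V2 framing:",
          negotiate(v2, TLSV1_ONLY, accept_v2_framing=False))
    real_v2 = parse_client_hello(build_v2_compat_client_hello(SSLV2, [0x010080]))
    print("true SSLv2 hello with ALL -SSLv3:", negotiate(real_v2, ALL_MINUS_SSLV3))
```

The `v2_only_ciphers` field is the part worth watching in captured traffic: a V2-format hello that advertises TLS 1.0 and only 0x00-prefixed specs can never end up in an SSLv2 session, whereas nonzero-prefixed specs are only usable if SSLv2 itself is enabled on the server.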